[PATCH 0/2] Timing leaks in certain HW-crypto drivers

[resend to linux-crypto]

Hi,

the following patches fix timing leaks which are introduced by using
(non-constant time) memcmp() to verify cryptographic authentication tags.
Specifically, the AES-GCM and AES-CCM implementations in the IBM Power
in-Nest Crypto acceleration driver and the AEAD decryption function in the
Freescale SEC (talitos) driver are vulnerable to this kind of attack.
These timing leaks can be used by an attacker to find the correct
authentication tag value for arbitrary messages with far less effort
than brute-force testing all 2^n possible values for an n-bit tag.

The fix is rather simple: Use crypto_memneq() as the generic implementations
in crypto/* already do.

Kind regards,
David


David Gstir (2):
  crypto: nx - Fix timing leak in GCM and CCM decryption
  crypto: talitos - Fix timing leak in ESP ICV verification

 drivers/crypto/nx/nx-aes-ccm.c | 2 +-
 drivers/crypto/nx/nx-aes-gcm.c | 3 ++-
 drivers/crypto/talitos.c       | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

-- 
2.1.4
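The following is an added illustration of the defect the cover letter describes; it is not code from the patch series or from the nx/talitos drivers. `ct_memneq()` is a hypothetical stand-in written in the same spirit as the kernel's crypto_memneq() (XOR every byte pair and OR the results together, so the amount of work never depends on where a mismatch sits); `naive_bytes_examined()` models the early-exit behaviour a typical memcmp() has. The 16-byte tag is a constructed sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 16

/* Constructed sample: the tag a receiver computed for a message. */
static const uint8_t SAMPLE_TAG[TAG_LEN] = {
    0x3a, 0x7f, 0x11, 0xc2, 0x9e, 0x05, 0x44, 0xb8,
    0xd1, 0x6c, 0x28, 0xf3, 0x90, 0x5b, 0xe7, 0x0d
};

/* Build a candidate tag that matches SAMPLE_TAG except at index
 * mismatch_at (pass mismatch_at >= TAG_LEN for an exact copy). */
void make_candidate(uint8_t out[TAG_LEN], size_t mismatch_at)
{
    memcpy(out, SAMPLE_TAG, TAG_LEN);
    if (mismatch_at < TAG_LEN)
        out[mismatch_at] ^= 0xff;
}

/* Models a typical memcmp(): stops at the first differing byte, so the
 * number of bytes examined (and therefore the time taken) reveals how
 * long the matching prefix is. This is the leak the patches remove. */
size_t naive_bytes_examined(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i])
            return i + 1;   /* early exit: work depends on the data */
    }
    return len;
}

/* Hypothetical stand-in for crypto_memneq(): returns 0 if the buffers are
 * equal and nonzero otherwise. Every byte is always visited and the
 * result is accumulated with OR, so there is no data-dependent branch.
 * volatile discourages the compiler from reintroducing a short-circuit. */
unsigned int ct_memneq(const void *a, const void *b, size_t len)
{
    const volatile uint8_t *pa = (const volatile uint8_t *)a;
    const volatile uint8_t *pb = (const volatile uint8_t *)b;
    uint8_t neq = 0;

    for (size_t i = 0; i < len; i++)
        neq |= pa[i] ^ pb[i];
    return neq;
}

/* Tag verification the way a driver should do it: reject unless the
 * constant-time comparison reports equality. */
int tag_is_valid(const uint8_t *expected, const uint8_t *received, size_t len)
{
    return ct_memneq(expected, received, len) == 0;
}

int main(void)
{
    uint8_t cand[TAG_LEN];
    size_t positions[] = { 0, 7, 15, TAG_LEN };

    for (size_t k = 0; k < sizeof(positions) / sizeof(positions[0]); k++) {
        make_candidate(cand, positions[k]);
        printf("mismatch at %2zu: naive examines %2zu bytes, "
               "constant-time verdict = %s\n",
               positions[k],
               naive_bytes_examined(SAMPLE_TAG, cand, TAG_LEN),
               tag_is_valid(SAMPLE_TAG, cand, TAG_LEN) ? "valid" : "invalid");
    }
    return 0;
}
```

Running the stand-alone program shows the naive comparison doing 1, 8, 16 and 16 bytes of work for the four candidates, while the constant-time path always walks the full tag and only its final verdict differs.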
